1 files changed, 17 insertions, 0 deletions

diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index b50c22cc..5a13957d 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,23 @@
 Changelog
 =========
 
+- :bug:`-` Modify protocol message handling such that ``Transport`` does not
+  respond to ``MSG_UNIMPLEMENTED`` with its own ``MSG_UNIMPLEMENTED`` message.
+  This behavior probably didn't cause any outright errors, but it doesn't seem
+  to conform to the RFCs and could cause (non-infinite) feedback loops in some
+  scenarios (usually those involving Paramiko on both ends).
+- :bug:`1283 (1.17+)` Fix exploit (CVE pending) in Paramiko's server mode
+  (**not** client mode) where hostile clients could trick the server into
+  thinking they were authenticated without actually submitting valid
+  authentication.
+
+  Specifically, steps have been taken to start separating client and server
+  related message types in the message handling tables within ``Transport`` and
+  ``AuthHandler``; this work is not complete but enough has been performed to
+  close off this particular exploit (which was the only obvious such exploit
+  for this particular channel).
+
+  Thanks to Daniel Hoffman for the detailed report.
 - :support:`1292 backported` Backport changes from :issue:`979` (added in
   Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards
   compatibility. This allows these older versions to use newer Cryptography